Resolving a Mutual TLS session resumption vulnerability
On January 23, 2025, Cloudflare was notified via its Bug Bounty Program of a vulnerability in Cloudflare’s Mutual TLS (mTLS) implementation.
The vulnerability affected customers who were using mTLS and involved a flaw in our session resumption handling. Cloudflare’s investigation revealed no evidence that the vulnerability was being actively exploited. And tracked as CVE-2025-23419, Cloudflare mitigated the vulnerability within 32 hours after being notified. Customers who were using Cloudflare’s API shield in conjunction with WAF custom rules that validated the issuer's Subject Key Identifier (SKI) were not vulnerable. Access policies such as identity verification, IP address restrictions, and device posture assessments were also not vulnerable.
The bug bounty report detailed that a client with a valid mTLS certificate for one Cloudflare zone could use the same certificate to resume a TLS session with another Cloudflare zone using mTLS, without having to authenticate the certificate with the second zone.
Cloudflare customers can implement mTLS through Cloudflare API Shield with Custom Firewall Rules and the Cloudflare Zero Trust product suite. Cloudflare establishes the TLS session with the client and forwards the client certificate to Cloudflare’s Firewall or Zero Trust products, where customer policies are enforced.
mTLS operates Continue reading
Amazon Will Spend Nearly A Year Of AWS Revenue On AI Investments
There is a bit of AI spending one-upmanship going on among the hyperscalers and cloud builders – and now the foundation model builders who are partnering with their new sugar daddies to be able to afford to build vast AI accelerator estates to push the state of the art in model capabilities and intelligence. …
Amazon Will Spend Nearly A Year Of AWS Revenue On AI Investments was written by Timothy Prickett Morgan at The Next Platform.
TNO015: Revolutionizing Telecom with NetOps Automation and Collaboration
Today’s episode with guest Joan Garcia provides valuable insights into the complexities of modern network operations at a telco, the importance of collaboration across technical domains, and the strategic decisions that drive innovation in the telecom industry. Joan’s experiences and perspectives offer ideas for navigating the challenges of integrating different layers of network architecture while... Read more »Hedge 258: pyATS and Testing Through Automation
We often think of network automation as a configuration tool, but automation can also be used for one-off, integration, and even continuous testing. Dan Wade joins Tom Ammon and Russ White to talk about pyATS and the concept of automated testing. To find out more about pyATS, check here.
Cloudflare incident on February 6, 2025
Multiple Cloudflare services, including our R2 object storage, were unavailable for 59 minutes on Thursday, February 6, 2025. This caused all operations against R2 to fail for the duration of the incident, and caused a number of other Cloudflare services that depend on R2 — including Stream, Images, Cache Reserve, Vectorize and Log Delivery — to suffer significant failures.
The incident occurred due to human error and insufficient validation safeguards during a routine abuse remediation for a report about a phishing site hosted on R2. The action taken on the complaint resulted in an advanced product disablement action on the site that led to disabling the production R2 Gateway service responsible for the R2 API.
Critically, this incident did not result in the loss or corruption of any data stored on R2.
We’re deeply sorry for this incident: this was a failure of a number of controls, and we are prioritizing work to implement additional system-level controls related not only to our abuse processing systems, but so that we continue to reduce the blast radius of any system- or human- action that could result in disabling any production service at Cloudflare.
How Much Money Does Arm Make In The Datacenter?
As we have been saying for quite some time, when it comes to datacenter CPUs, we think that homegrown Arm processors (as well as those made by independents Ampere Computing and Huawei Technologies) will eventually represent at least half of the computing capacity that the hyperscalers and major cloud builders install. …
How Much Money Does Arm Make In The Datacenter? was written by Timothy Prickett Morgan at The Next Platform.
IPB168: Deploying IPv6-Only Wi-Fi at the SC24 Conference
Want to know how an IPv6-only wireless network was deployed at a conference with 18,000 attendees? Join us as we talk through the technical details with Tom Costello, a senior network engineer at Argonne National Laboratory. Tom volunteers at the International Conference for High Performance Computing, Networking, Storage and Analysis (SC for short) to help... Read more »N4N012: Russ White On Why We Need Network Models
Why do we need network models such as OSI? Network architect and author Russ White joins Holly and Ethan to talk about how network models can help engineers ask intelligent questions and understand networking problems. And OSI isn’t your only option–Russ digs into the RINA model and how it compares to OSI (which we covered... Read more »The Metadata Advantage: Unlocking insights And Efficiency In Enterprise IT
COMMISSIONED: When it comes to enterprise IT infrastructure, metadata is the secret asset most people don’t think about. …
The Metadata Advantage: Unlocking insights And Efficiency In Enterprise IT was written by Timothy Prickett Morgan at The Next Platform.
Automation Workflow with Infrahub, Nornir & Jinja2
Originally published in https://www.opsmill.com/simplifying-network-automation-workflows-with-infrahub-nornir-and-jinja2/
In this blog post, we will explore how InfraHub integrates with Jinja2 and Nornir to simplify network automation workflows. To demonstrate, we'll add two Arista devices to InfraHub, treating them as basic access switches. We'll then input the necessary details for these devices to generate configurations. We'll focus on creating VLAN and some interface configurations to keep it simple.
For each device, we'll assign a primary IP (used for SSH), configure a few interfaces with descriptions, and specify an untagged VLAN for each interface. Additionally, we'll define these VLANs globally in InfraHub (not tied to any specific device). A Jinja2 template will then use this information to generate configurations for each device. Finally, we'll use the nornir-infrahub plugin as the inventory source and Napalm to push the generated configurations to each device.
Getting Started with Infrahub
If you’re in the network automation space or attended one of the last two Autocon events, you might have come across a new tool called ‘Infrahub’ from OpsMill
Suresh Vina
Prerequisites
This blog post assumes you are somewhat familiar with Git and Docker. If you’re new to InfraHub, don’t worry, you should still be able to follow Continue reading
Group Similar Links in netlab Topologies
In the Concise Link Descriptions blog post, I described various data formats that you could use to concisely list nodes attached to a link. Today, we’ll focus on a mechanism that helps you spot errors in your topology: a dictionary of links.
Imagine you have a large topology with dozens of links, and you get an error saying, “there is this problem with links[17]”. It must be great fun counting the links to find which one triggered the error, right?
Trying to Automate Palo Alto Firewall Objects/Rules Cleanup
In this blog post, we will walk you through how to clean up Palo Alto Firewall Objects and Rules using a simple Python script. The script is designed to search for a specific IP address or an entire subnet and remove any associated references.
The Problem
Have you ever found yourself in a situation where you've decommissioned a server or maybe even an entire subnet, and now you're faced with the task of cleaning up your firewall? If you're using Palo Alto, you probably know that you can't just remove an address object; you first need to eliminate all its references from address groups and rules.
This can become especially cumbersome if a single object is referenced in multiple places—you'll have to remove them one by one. Now, imagine having to do this for an entire subnet where multiple objects are involved. If this sounds familiar, read on to find out how to make this process easier using a simple Python Script.
If you are looking for a more sophisticated solution, feel free to check my other blog post on how to achieve this via the 'pan-os-php' library.
Palo Alto Object and Policy Cleanup with pan-os-php
If you work with Continue reading
Skepticism About AI Use Does Not Yet Negate The Appetite For AI Hardware
People – and when we say “people” we mean “Wall Street” as well as individual investors – sometimes have unreasonable expectations. …
Skepticism About AI Use Does Not Yet Negate The Appetite For AI Hardware was written by Timothy Prickett Morgan at The Next Platform.
D2DO264: Serverless Goes Mainstream
Serverless is mature enough now to be a mainstream choice for application development. But that doesn’t mean interesting things aren’t happening. Benjamen Pyle joins Kyler and Ned on Day Two DevOps to talk about the potential for small vendors and startups to develop high-quality services purpose-built to solve specific problems. They also discuss the benefits... Read more »Cloudflare’s commitment to advancing Public Sector security worldwide by pursuing FedRAMP High, IRAP, and ENS
Today, we announced our commitment to achieving the US Federal Risk and Authorization Management Program (FedRAMP) - High, Australian Infosec Registered Assessors Program (IRAP), and Spain’s Esquema Nacional de Seguridad (ENS) as part of Cloudflare for Government. As more and more essential services are being shifted to the Internet, ensuring that governments and regulated industries have industry standard tools is critical for ensuring their uptime, reliability and performance.
Cloudflare’s network spans more than 330 cities in over 120 countries, where we interconnect with approximately 13,000 network providers in order to provide a broad range of services to millions of customers. Our network is our greatest strength to provide resiliency, security, and performance. So instead of creating a siloed government network that has limited access to our products and services, we decided to build the unique government compliance capabilities directly into our platform from the very beginning. We accomplished this by delivering critical controls in three key areas: traffic processing, management, and metadata storage.
The benefit of running the same software across our entire network is that it enables us to leverage our global footprint, and then make smart choices about how to Continue reading
Please Wait While We’re Preparing Your Interfaces
Once a virtual machine running a network operating system boots, you’d expect its data-plane interfaces to be operational, right? Some vendors disagree. It takes over a minute for some network operating systems to figure out they have this thing called interfaces.1
I would love to figure out what takes them so long (a minute is an eternity on modern CPUs), but I guess we’ll never know.
Behind the Scenes
netlab uses two device provisioning mechanisms: it can start virtual machines with Vagrant or containers with containerlab. Some of those containers might use KVM/QEMU to run a hidden virtual machine (see also: RFC 1925 rule 6a).
AMD Moves Up Instinct MI355X Launch As Datacenter Biz Hits Records
When we first started The Next Platform a decade ago, there was not really much of a reason to cover the company’s datacenter efforts. …
AMD Moves Up Instinct MI355X Launch As Datacenter Biz Hits Records was written by Timothy Prickett Morgan at The Next Platform.